Security: Missing X-Frame-Options Header

URLs missing an X-Frame-Options response header with a DENY or SAMEORIGIN value.

The header instructs the browser not to render the page within a frame, iframe, embed or object.

This helps avoid ‘clickjacking’ attacks, where your content is displayed on another web page that is controlled by an attacker.

How to Analyse in the SEO Spider

Use the ‘Security’ tab and ‘Missing X-Frame-Options Header’ filter to view these URLs, and export them using the ‘Export’ button.

What Triggers This Issue

This issue is triggered when a URL is missing the ‘X-Frame-Options’ HTTP header with a DENY or SAMEORIGIN value.

For example:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

How To Fix

To minimise security issues, the X-Frame-Options response header should be supplied with a DENY or SAMEORIGIN value.
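
The trigger condition and fix described above can be verified outside the crawler. The following is an added example, not Screaming Frog's own code: a Python check that classifies raw response headers as ok, missing or invalid. The function names, the sample URLs and responses, and the separate ‘invalid’ category for unrecognised or conflicting values are assumptions of this example.

```python
# Added example: apply the DENY/SAMEORIGIN rule to raw HTTP response headers.
ACCEPTED = {"DENY", "SAMEORIGIN"}


def xfo_values(raw_headers: str) -> list[str]:
    """Return every X-Frame-Options value found in a raw header block."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; the status line has no colon.
        if sep and name.strip().lower() == "x-frame-options":
            # Repeated headers may arrive folded into one comma-separated list.
            values.extend(v.strip().upper() for v in value.split(","))
    return values


def check_xfo(raw_headers: str) -> str:
    """Return 'ok', 'missing' or 'invalid' for one response."""
    values = set(xfo_values(raw_headers))
    if not values:
        return "missing"
    # Pass only when a single accepted directive is present. Anything else
    # (empty, unrecognised or conflicting values) fails the check here.
    if len(values) == 1 and values <= ACCEPTED:
        return "ok"
    return "invalid"


# Constructed sample responses, not real crawl data.
SAMPLES = {
    "https://example.test/": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n",
    "https://example.test/login": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n",
    "https://example.test/blog": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "https://example.test/old": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://a.test\r\n",
    "https://example.test/proxy": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n",
}


def audit(samples: dict[str, str]) -> dict[str, str]:
    """Map each URL to its check result."""
    return {url: check_xfo(headers) for url, headers in samples.items()}


if __name__ == "__main__":
    for url, result in audit(SAMPLES).items():
        print(f"{result:8} {url}")
```

URLs reported as missing or invalid are the ones that still need the header set to DENY or SAMEORIGIN.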
